DNS lookups can slow down any system if they aren't quick enough, or if you have a server that's doing reverse lookups.

So instead of your computer or server making hundreds or thousands of unneeded DNS requests.

Setting up

The config for dnsmasq is in /etc/dnsmasq.conf.

Here are some of the configuration settings I like to use.

This is where we set the file that will have the actual DNS servers:


Never forward plain names (without a dot or domain part)


Never forward addresses in the non-routed address spaces.


If you use OpenDNS servers, set this to use the servers in order.


Also, if you use OpenDNS, you'll need this line so it doesn't redirect Google queries.


If you have your DNS on a remote server, using something like OpenVPN or ssh to route your traffic, you'll need to bind it.


Now put your actual DNS servers in /etc/resolv.dnsmasq.conf

# OpenDNS IPv4 nameservers

# OpenDNS IPv6 nameservers
nameserver 2620:0:ccc::2
nameserver 2620:0:ccd::2

And change your /etc/resolv.conf to be

You may also have to stop NetworkManager from changing the DNS settings. In /etc/NetworkManager/NetworkManager.conf:



Domain Name System Security Extensions (DNSSEC) is a set of additions to the DNS protocol to make it more secure. It uses the domain's signed records to make sure replies are actually valid.

In /etc/dnsmasq.conf, add or uncomment these lines to enable DNSSEC.


Some replies are not DNSSEC signed. They may still be legitimate, because the domain is unsigned, or they may be forgeries. This setting makes dnsmasq do some additional checks to see whether an unsigned reply still looks valid. It takes a few more DNS lookups, but it's good for security.


The above trust-anchors.conf file holds the main (root) trust anchor, using the values from https://data.iana.org/root-anchors/root-anchors.xml

The current one I have is as follows (you can verify it at the above URL):

# The root DNSSEC trust anchor, valid as at 18/03/2016

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml


To verify that DNSSEC is working, go to https://www.dnssec-tools.org/
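
A local check to complement the online test, added here as an example (not the author's code): it parses a dnsmasq.conf body and reports which of the settings described on this page are absent, including DNSSEC enabled with no trust anchor. The option names are real dnsmasq settings, but their mapping to this page's steps is an assumption, and the sample configs and the `/path/to/trust-anchors.conf` path are constructed placeholders.

```python
import re

# Real dnsmasq option names; which step of this page each one belongs to is
# an assumption, because the page's own config lines are not shown.
RECOMMENDED = {
    "resolv-file": "read upstream DNS servers from a dedicated file",
    "domain-needed": "never forward plain names (no dot or domain part)",
    "bogus-priv": "never forward lookups for non-routed address space",
    "dnssec": "validate DNSSEC-signed replies",
    "dnssec-check-unsigned": "check that unsigned replies come from unsigned zones",
}

def parse_dnsmasq_conf(text):
    """Return {option: [values]}; bare flags such as 'dnssec' get ''."""
    opts = {}
    for raw in text.splitlines():
        # Treat '#' as a comment only at line start or after whitespace,
        # so values like server=127.0.0.1#5353 (port syntax) survive.
        line = re.sub(r"(^|\s)#.*", "", raw).strip()
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def audit(text):
    """Return findings for a dnsmasq.conf body; an empty list means all present."""
    opts = parse_dnsmasq_conf(text)
    findings = [f"missing {name}: {why}"
                for name, why in RECOMMENDED.items() if name not in opts]
    # Heuristic: an anchor is either inline or in an included file whose
    # name contains 'trust-anchors'.
    has_anchor = "trust-anchor" in opts or any(
        "trust-anchors" in path for path in opts.get("conf-file", []))
    if "dnssec" in opts and not has_anchor:
        findings.append("dnssec is enabled but no trust anchor is configured")
    return findings

# Constructed sample configs (not from the page); the path is a placeholder.
WEAK = "resolv-file=/etc/resolv.dnsmasq.conf\nserver=127.0.0.1#5353\ndnssec\n"
HARDENED = """\
resolv-file=/etc/resolv.dnsmasq.conf
domain-needed
bogus-priv
dnssec
dnssec-check-unsigned
conf-file=/path/to/trust-anchors.conf  # placeholder path
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "ok")
```

Run it against the real file with `audit(open("/etc/dnsmasq.conf").read())`; the trust-anchor detection is a filename heuristic, so an anchor file with a different name will be reported as missing.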
